openstack/keystone
Code Issues Proposed changes

Remove service policies from policy.v3cloudsample.json

Browse Source 
By incorporating system-scope and default roles, we've effectively
made these policies obsolete. We can simplify what we maintain and
provide a more consistent, unified view of default service behavior by
removing them.

Change-Id: Ifa2282481ee3fc544c1d50ac8e8972b0d3a5332e
Closes-Bug: 1804462
This commit is contained in:
Lance Bragstad 2018-11-21 15:45:50 +00:00
parent 7076d704ab
commit c83fcbc42a
3 changed files with 20 additions and 7 deletions

6
etc/policy.v3cloudsample.json

@ -10,12 +10,6 @@
"default": "rule:admin_required", "default": "rule:admin_required",
"identity:get_service": "rule:admin_required",
"identity:list_services": "rule:admin_required",
"identity:create_service": "rule:cloud_admin",
"identity:update_service": "rule:cloud_admin",
"identity:delete_service": "rule:cloud_admin",
"identity:get_limit_model": "", "identity:get_limit_model": "",
"identity:get_limit": "", "identity:get_limit": "",
"identity:list_limits": "", "identity:list_limits": "",

7
keystone/tests/unit/test_policy.py

@ -230,7 +230,12 @@ class PolicyJsonTestCase(unit.TestCase):
'identity:get_domain', 'identity:get_domain',
'identity:list_domains', 'identity:list_domains',
'identity:update_domain', 'identity:update_domain',
'identity:delete_domain' 'identity:delete_domain',
'identity:create_service',
'identity:get_service',
'identity:list_services',
'identity:update_service',
'identity:delete_service'
] ]
policy_keys = self._get_default_policy_rules() policy_keys = self._get_default_policy_rules()
for p in removed_policies: for p in removed_policies:

14
releasenotes/notes/bug-1804462-59ad43f98242dea0.yaml Normal file

@ -0,0 +1,14 @@
---
upgrade:
- |
[`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
The service policies defined in ``policy.v3cloudsample.json`` have
been removed. These policies are now obsolete after incorporating
system-scope into the service API and implementing default roles.
fixes:
- |
[`bug 1804462 <https://bugs.launchpad.net/keystone/+bug/1804462>`_]
The service policies in ``policy.v3cloudsample.json`` policy file
have been removed in favor of better defaults in code. These
policies weren't tested exhaustively and were misleading to users
and operators.